Prior to AIX 5.3 TL7 and AIX 6.1, there was an 8 character limit on AIX user
passwords. If you need passwords of greater than 8 characters then you must
enable one of the supplied Loadable Password Algorithms (LPAs). The following
table lists the available algorithms and the limitations of each:

For example, to enable the MD5 algorithm I can modify the
/etc/security/login.cfg file with the chsec command as follows:

# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=smd5

# tail -2 /etc/security/login.cfg

pwd_algorithm = smd5

This algorithm (smd5) will allow a password limit of 255 characters. Each of
the available algorithms is listed in the /etc/security/pwdalg.cfg file.

* /usr/lib/security/ssha is a password hashing load module using SHA and
* SHA2 algorithms. It supports password length up to 255 characters.
*
* This LPA accepts three options. The options are separated by commas.

...etc...

Once you’ve enabled the LPA of your choice and you set or change a user’s
password, you’ll notice that the /etc/security/passwd stanza for that user
looks different from the stanzas of users whose passwords have not been set or
changed using the new LPA:

fred:
        password = E7nOaTrrz9Q16
        lastupdate = 1330986703
        flags = ADMCHG

joe:
        password = {smd5}z9JrHDJB$Oq/cZXr0jUyAWvfFyjt161
        lastupdate = 1330987903
        flags = ADMCHG

In the example above, user joe’s password has been set using the smd5 algorithm.
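Enabling an LPA does not re-hash existing passwords, so accounts like fred keep a hash without an algorithm prefix until the password is next set. The script below is an added example, not part of the original post: it reads /etc/security/passwd-style stanzas and reports which scheme each user's hash carries. The function names and the svc stanza are constructed for illustration; the fred and joe stanzas are the ones shown above.

```shell
#!/bin/sh
# Print "<user> <scheme>" for every stanza read from the given file (or stdin).
# scheme is the name inside the {..} prefix (e.g. smd5), "legacy" when the hash
# has no prefix (set without an LPA, 8 character limit applies), or "none"
# when the password field is empty or "*".
audit_lpa_hashes() {
    awk '
        # Stanza header: a single field ending in ":" (comment lines start with *)
        NF == 1 && $1 ~ /^[^*].*:$/ { user = substr($1, 1, length($1) - 1); next }
        # password attribute of the current stanza
        user != "" && $1 == "password" && $2 == "=" {
            hash = $3
            end = index(hash, "}")
            if (hash == "" || hash == "*")
                scheme = "none"
            else if (substr(hash, 1, 1) == "{" && end > 2)
                scheme = substr(hash, 2, end - 2)
            else
                scheme = "legacy"
            print user, scheme
            user = ""
        }
    ' "$@"
}

# Only the users whose password still needs to be reset under the LPA.
legacy_users() {
    audit_lpa_hashes "$@" | awk '$2 == "legacy" { print $1 }'
}

# Sample input: fred and joe from the post, svc is a constructed stanza.
sample_passwd() {
    cat <<'EOF'
fred:
        password = E7nOaTrrz9Q16
        lastupdate = 1330986703
        flags = ADMCHG

joe:
        password = {smd5}z9JrHDJB$Oq/cZXr0jUyAWvfFyjt161
        lastupdate = 1330987903
        flags = ADMCHG

svc:
        password = *
EOF
}

sample_passwd | audit_lpa_hashes
```

On a live system, run `legacy_users /etc/security/passwd` as root to list the accounts that still need a password change.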

For those of you who run PowerHA (HACMP) and are thinking about using one of
the LPAs with the clpasswd utility, you may want to review this APAR first:

The APAR states “HACMP cluster-wide C-SPOC password administration does not
support use of the feature allowing passwords longer than 8 characters which
became available with the Loadable Password Algorithm as part of AIX 53 TL 7.”

The last time I tested this with PowerHA, the problem was that the password
entry in /etc/security/passwd was corrupted/truncated when a user’s password
was changed using the clpasswd utility.

For example, if the passwd utility is linked to clpasswd and I changed a user’s
password, the password field appeared to be corrupted/truncated and the user
could not log in successfully:

I’ve not tried this again recently but I am curious if the
same behaviour can be expected on a PowerHA system today. When I first encountered
this problem (in 2008) I opened a PMR for the issue. In that call I was told
that the “clpasswd utility is corrupting the encrypted password when
distributing to the nodes, so that a login fails”. I’ll configure a HA
cluster soon and try it again with PowerHA 6.1 and AIX 6.1 and report back with
the results.

UPDATE: I built a HA 6.1 cluster (on AIX 6.1) this afternoon in my lab and
tested this successfully. Based on the tests I’ve performed so far, it appears
that this limitation no longer exists. Thanks to hafeedbk@us.ibm.com for the
help on this one.

The following IBM tech note has more information on the available Loadable
Password Algorithms and support for longer than 8 character passwords on AIX: